All intrusions to computing systems are commenced with the purpose of accessing either the information, processing or communication facilities of those systems. For example, a person may wish to gain shell access to a system to run programs thereon. A person might also wish to gain access to personal or financial information stored on the hard drive of a computer, by which that person might form a profile of that person or steal his identity. Recently, intrusive attacks frequently send surreptitious email messages to others, or convert the computing system into a “zombie”, a system that can be remotely controlled to send messages, intrusive attacks or large quantities of communications to cripple other computing systems.
Of the most frequently used intrusive methods, viruses are perhaps the most common. Originally, a virus was understood to be a code fragment that could “infect” other executable code and thereby propogate itself to programs or other executable objects. Early viruses propagated from infected programs at the time those programs were started, by copying the virus code fragment to other accessible executable objects. Viruses could also be crafted to infect the master boot record of disks, and other program objects. More recently, programs that propogate by email attachment have been referred to as viruses. Those viruses use methods that are more sophisticated than the early viruses, and may infect a computer (rather than just an executable program) by copying one or more applications thereto and configuring the computer to automatically execute the virus software. Modern email viruses may scan a hard disk for email addresses to which new emails may be sent containing a virus.
Of the many virus types, one characteristic is generally shared. Viruses require some user intervention in order to propogate. This user intervention might be executing an infected executable, booting from an infected disk, or executing an email attachment. Worms, a second category of intrusive programs, do not require user intervention. Worms take advangate of weaknesses in the security of a computing system, which weaknesses are called “exploits.” Exploits might be as simple as passwords that are missing or too simple to provide adequate security. Other attacks utilize buffer overflow weaknesses or other bugs to capture execution of a program by carefully crafted messages transmitted over a network. The most effective countermeasure to worms has proven to be the firewall; although if an exploit can be found for an application operating on a commonly used port even a firewalled system may be vulnerable.
A worm or virus may modify the storage of a computer to provide repeated execution even if the computing system is rebooted. Referring now to FIG. 9A, the organization of a typical executable produced from a compiler is conceptually shown. The executable 900 contains a block of program data 904, followed by program code 908 initiated by directing a processor to begin execution at location 906 “ProgStart”. Now different executables will have blocks of data in various sizes, and therefore the offset of “ProgStart” 908 from the beginning of the executable file 900 varies. At the time the executable 900 is produced, the compiler generates a jump instruction 902 to the program start location 906, thereby permitting the operating system to run the executable program.
A virus may modify an executable file as shown in FIG. 9A to a form shown in FIG. 9B, thereby causing infection. The virus first modifies executable file 900 by appending virus code 912 to the end of the file, resulting in the three blocks of data and code shown in infected program 900v. The virus modifies the vector of jump instruction 902 to point to the start 910 of the virus code 912, and saves the old program vector in a new jump instruction 914. The infected program, when executed, first starts at “VirusStart” 910, which executes the virus code 912. When the virus code completes, execution of the original program code 908 then executes at “ProgStart” 906. The execution of the virus code may operate silently, without any noticable effect by a user, and may thereby continue undetected for some period of time.
A program infected as shown in FIG. 9B may be disinfected, by resetting vector 902v back to the program start location 906, and optionally by removing the virus code 912 from the end of the program. That operation is typically undertaken by an anti-virus program, which operates as conceptually shown in FIG. 10. An anti-virus process 1000 has accessible thereto a fingerprint database 1002, which contains information to detect viruses written to files and optionally configuration to conduct disinfection operations on infected files. At periodic times, the anti-virus process 1000 scans a file system 1004, by reviewing files 1006a-n stored thereto. Each file is successively scanned against the fingerprint database 1002, and appropriate countermeasures are taken against detected infections. (An anti-virus program may not actually scan every file, but rather only those files which are possibly executed by the operating system.)
In the past, anti-virus software has successfully prevented many intrusions, resulting in the prevalence of anti-virus software today. Anti-virus methods, however, are limited in the number of intrusions for which protection is feasible. The object of a second type of intrusive attack is depicted in 9C. In this attack, no attempt is made to infect executable file 900. Rather, the entire file is overwritten with a new file 920, which contains its own jump vector 922, data 924, program start location 926 and code 928. New file 920 may be fashioned to include the functionality of program 900, with additional “back-door” functionality permitting an intruder to gain access (such intrusive programs are sometimes called “rootkits”). Although an anti-virus program might detect the intrusion, it cannot restore the original executable file 900 by resetting a vector and removing the intrusive code. Rather, the original code and file must be entirely restored. Although in theory an anti-virus program might perform this restoration, the number of executables produced for any popular architecture is large; a restoration database is thereby practically impossible to distribute. Upon detection, the user is left to restore the executable file from a backup copy, or repeat the installation steps for the application and/or operating system.
The last intrusive type, becoming more and more common, relies on a user to install a software package to a computing system. The user may be deceived into installing an application with intrusive functionality. For example, spyware programs may scan (or “mine”) a hard drive for account numbers or passwords that can be used by identity thieves to steal money or information. Other spyware programs may record a user's keystrokes, websites visited, or other information that might be used to a third-party's advantage. Because these applications are installed overtly, with the permission of the user, detecting and countering these intrusions may be especially difficult. Even worse, if an application is provided by the Internet, it may be changed frequently by the author to avoid detection by common fingerprint methods, thereby becoming stealthy to anti-viral software.
Presently, there are a number of organizations, including anti-virus software makers, operating system makers and governmental bodies, that watch the Internet for newly discovered exploits and intrusive programs. These “counter-intrusive specialists” have helped a great deal, producing patches for software and creating or updating anti-intrusion software programs. These programs and patches, however, take time to produce, usually within a period of weeks to months. This delay subjects users of the Internet to the risks of newly released intrusive programs, for which an adequate solution has yet to be found.